Prerequisites Checklist

Before you begin, check that you meet the following prerequisites to ensure a smooth installation process.

Account Privileges

Perform the installation as a local account that is a member of the local or built-in Administrators group, or as an administrator on the server where you install Tenable Identity Exposure. The account requires the following privileges:

  • SeBackupPrivilege

  • SeDebugPrivilege

  • SeSecurityPrivilege

Antivirus (AV) and Endpoint Detection and Response (EDR)

Before installing, disable any AV and/or EDR solution on the host. Failing to do so triggers a roll-back during installation. You can safely enable AV/EDR once the installation is complete, but be aware that it may impact product performance due to high disk I/O operations.

Pending Reboots

Perform any required reboots prior to installation. When you launch the installer on a server, it checks the following:

  • There is no pending reboot.

  • The server was restarted properly less than 11 minutes ago.

  • The MSI checks the following registry keys:

    • HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending

    • HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

    • HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager, value PendingFileRenameOperations
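The following PowerShell preflight script is an added example, not part of Tenable's installer: it runs the same checks the Account Privileges and Pending Reboots sections describe, verifying the three privileges on the current token, testing the three registry locations for a pending reboot, and reporting the time since the last boot.

```powershell
# Added preflight check (example code, not Tenable's installer). Run from an
# elevated PowerShell session on the target server before launching the MSI.

# 1. Privileges the installing account must hold (listed whether enabled or not).
$required = 'SeBackupPrivilege', 'SeDebugPrivilege', 'SeSecurityPrivilege'
$held = whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object { $_.'Privilege Name' }
$missingPriv = $required | Where-Object { $_ -notin $held }

# 2. Pending-reboot indicators: two keys whose mere presence means "reboot pending",
#    and one value that is non-empty while file renames are queued for the next boot.
$pending = @()
$cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
if (Test-Path $cbs) { $pending += 'Component Based Servicing: RebootPending' }
if (Test-Path $wu)  { $pending += 'Windows Update: RebootRequired' }
$renames = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($renames) { $pending += "Session Manager: $($renames.Count) PendingFileRenameOperations entries" }

# 3. Minutes since the last boot, to compare with the installer's 11-minute figure.
$lastBoot  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$minutesUp = [math]::Round(((Get-Date) - $lastBoot).TotalMinutes, 1)

# Report the findings; any warning here means the MSI is expected to roll back.
if ($missingPriv) { Write-Warning "Missing privileges: $($missingPriv -join ', ')" }
else              { Write-Host 'Privileges: OK' }
if ($pending)     { Write-Warning "Reboot pending: $($pending -join '; ')" }
else              { Write-Host 'Pending reboot: none' }
Write-Host "Minutes since last boot: $minutesUp (installer expects a restart less than 11 minutes ago)"
```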

Service Accounts

The use of service accounts must be allowed on the operating system.

Secure Relay

The VM hosting the Secure Relay must also have:

  • A Windows Server 2016+ operating system (no Linux)

  • Working internet DNS resolution and internet access to at least cloud.tenable.com and *.tenable.ad over TLS 1.2.

  • Local administrator privileges

  • EDR, antivirus, and GPO configuration:

    • Sufficient CPU remaining on the VM — for example, the Windows Defender Real-Time feature consumes a considerable amount of CPU and can saturate the machine.

    • Automatic updates:

      • Allow calls toward *.tenable.ad so that the automatic update feature can download a Relay executable file.

      • Check that there is no Group Policy Object (GPO) blocking the automatic update feature.

      • Do not delete or alter the 'Relay updater' scheduled task.
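As an added example (not Tenable's code), this PowerShell check exercises the Secure Relay requirements above once the Relay is installed: DNS resolution and TCP 443 reachability for each endpoint, an actual TLS 1.2 handshake rather than a registry flag, the presence and state of the 'Relay updater' scheduled task (assumed to carry exactly that name), and whether Defender real-time protection is on. cloud.tenable.com is taken from the text; the *.tenable.ad entry is a placeholder you replace with the update host your deployment contacts.

```powershell
# Added connectivity check for the Secure Relay host (example code, not Tenable's).
# cloud.tenable.com comes from the prerequisites text; the second entry is a
# placeholder for the concrete *.tenable.ad update host used by your deployment.
$targets = 'cloud.tenable.com', '<your-update-host>.tenable.ad'

function Test-RelayEndpoint {
    param([string]$HostName)
    $result = [ordered]@{ Host = $HostName; Dns = $false; Tcp443 = $false; Tls = 'n/a' }
    # DNS: the name must resolve through the relay VM's configured resolvers.
    try { $null = Resolve-DnsName -Name $HostName -ErrorAction Stop; $result.Dns = $true } catch {}
    if (-not $result.Dns) { return [pscustomobject]$result }
    # TCP 443 reachability through any proxy or firewall in the path.
    $result.Tcp443 = Test-NetConnection -ComputerName $HostName -Port 443 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $result.Tcp443) { return [pscustomobject]$result }
    # Negotiate TLS 1.2 only; an interception device or GPO that breaks it shows up here.
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $result.Tls = $ssl.SslProtocol.ToString()
        $ssl.Dispose(); $tcp.Dispose()
    } catch { $result.Tls = "failed: $($_.Exception.Message)" }
    [pscustomobject]$result
}

$targets | ForEach-Object { Test-RelayEndpoint -HostName $_ } | Format-Table -AutoSize

# The 'Relay updater' task must exist and stay enabled for automatic updates to run.
$task = Get-ScheduledTask -TaskName 'Relay updater' -ErrorAction SilentlyContinue
if (-not $task)                      { Write-Warning "Scheduled task 'Relay updater' not found" }
elseif ($task.State -eq 'Disabled')  { Write-Warning "'Relay updater' task is disabled" }
else                                 { Write-Host "'Relay updater' task state: $($task.State)" }

# Defender real-time protection is the CPU consumer the text warns about; report it.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) { Write-Host "Defender real-time protection enabled: $($mp.RealTimeProtectionEnabled)" }
```

Run it on the Relay VM itself, since it is that host's resolvers, proxy settings and GPOs that the checks need to traverse.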

Other Requirements

  • Tenable Identity Exposure runs on Windows Server 2016 with the latest available updates installed.

  • The Tenable Identity Exposure installation program requires Local Administrator rights on Windows Server 2016. If the account used for the installation is the default account, ensure that this account can run programs without restrictions.

  • Tenable Identity Exposure services require Local Administrator rights to run local services on the machine.

  • Tenable Identity Exposure requires a dedicated data partition. Do not run Tenable Identity Exposure on the OS partition, so that a full partition cannot freeze the system.

  • The Tenable Identity Exposure SQL instance requires the virtual accounts feature.

  • When installing or upgrading Microsoft SQL Server after implementing tighter security measures, the installation fails because of insufficient user rights. Check that you have the necessary permissions for a successful installation. For more information, see the Microsoft documentation.

  • Tenable Identity Exposure must run as a black box. Dedicate each machine to Tenable Identity Exposure and do not share it with another product.

  • Tenable Identity Exposure can create any folder starting with the "Alsid" or "Tenable" prefix on the data partition. Therefore, do not create folders starting with "Alsid" or "Tenable" on the data partition.

  • Erlang: Do not modify the HOMEDRIVE environment variable, and ensure that the PATHEXT environment variable contains the .exe and .bat file extensions.

  • If you must make the Tenable Identity Exposure AD service account a member of the Protected Users group, ensure that your Tenable Identity Exposure configuration supports Kerberos authentication, because Protected Users cannot use NTLM authentication.

This table summarizes the prerequisites in a handy checklist to complete before installation.

Information or Resource to Reserve | Status
--- | ---
The required agreements (NDA, Evaluation Software License), if applicable |
The choice of architecture (centralized or distributed) |
The number of active AD users in the targeted domains to monitor |
The computing and memory resources, based on Tenable Identity Exposure's sizing matrix |
The private IP of each virtual machine used to deploy Tenable's platform |
The type and IP address of the update management infrastructure |
The type and IP address of the time server |
The type and IP address of the PKI server |
The type and IP address of the identity provider |
Open the required network flows for each service that Tenable Identity Exposure requires |
The private IP addresses of each Primary Domain Controller emulator (PDCe) |
Creation of a regular user account on each Active Directory forest to monitor |
On the specific Active Directory containers, grant access rights to the Tenable service account. Grant access for Privileged Analysis if you want to enable this feature. |
The AD domain user account login: |
A TLS certificate for Tenable Identity Exposure's Web Portal issued by the customer's PKI. Otherwise, inform the Technical Lead of the use of a self-signed certificate. |
The list of Tenable Identity Exposure user accounts to create (required information: first and last name, email address, and desired login) |
The list of optional configurations to activate (email notification, Syslog event forwarding, etc.) |
An identified and available project coordinator to work with Tenable |
Technical staff to respond to potential technical issues such as a network filtering issue or an unreachable PDCe |